Hi,

Sorry for being too lazy to look into the source code, but I thought that for people of knowledge it would take 10 sec to give me the right answer :-)

There is an interesting issue of hijacking a session on a .NET application (surely founded in bad programming rather than the framework), but I'd be interested to know if such a thing is possible with Tomcat too.

For German-speaking people: http://www.goodguy.de/Sicherheitsluecke_Neu_de/

For all the others: is it possible to overwrite the Tomcat-issued session (cookie session) by attaching a different session in the URL?

Regards,
Leon